Data Protection & Venture Capital:
Does Privacy compliance influence investment decisions into start-ups?
13 Apr, 2021


Compliance with data protection regulations such as the European GDPR or the Brazilian LGPD isn’t optional. Every business processing personal data from individuals who are protected by these regulations is legally obliged to comply or could otherwise face a hefty fine, and start-ups are no exception to that.

The size of a business is not a direct indicator of the volume of personal data processed, nor of the level of risk involved in processing (special) categories of data. Even early-stage start-ups often process large amounts of personal data and run automated decision-making algorithms on the data sets, especially in the fields of AI, machine learning and IoT. These companies and their business models only make sense with collecting and modifying (personal) data. Lots of it.

Most start-ups at some point venture out to look for external funding in order to grow and scale. To assess a business for a potential investment, investors have developed sophisticated due diligence frameworks to analyse an opportunity against its risks. External and internal factors such as consumer behaviour, market growth, market adoption rate, team expertise, business model scalability and others go into the mix and are weighted against each other according to the risk appetite of the fund, accelerator or the investor and the stage a business is at.

As part of that due diligence process, we wanted to know how much of a role ‘data privacy’ and compliance with privacy regulations play for investors, and whether this variable could (or should) influence an investment decision to the extent that it could be a deal breaker.

We have spoken with three individuals from the VC investment and accelerator world from Germany, the UK and Brazil about this topic to get their thoughts and observations, giving us an insight into how investors perceive ‘data privacy’ at different growth stages of a start-up in different markets.

Ralph Zeller is a Development Manager at Wayra Germany, an international accelerator programme that offers selected start-ups the opportunity to pilot their solution with telecommunications giant Telefónica;

Bruno Betenson from BigBets, an early-stage VC from Brazil that works closely with and provides hands-on support to the companies they invest in; and

Devon Zimmerling, an early-stage VC in the UK who has invested in companies across the UK and Europe at pre-seed through Series A stage.


For early-stage businesses, (non-)compliance with data protection regulations is more of an investment risk in the medium to long-term.

Betenson, who focuses on early-stage investments, says that the start-ups they usually invest in “…aren’t confident about their business model yet. So they’re testing and pivoting.” He continues “It doesn’t make sense to focus on data privacy if you haven’t figured out your business model and how to scale it.”

At the same time Betenson recognises the importance of data privacy when looking at start-ups for investment, but that in itself poses a challenge: How do you consider data protection compliance for companies that haven’t fully validated their business model yet?

Betenson looks at it as a calculated risk factor in the medium to long-term. “Investors invest in companies they expect to become big in the future, and data privacy will continue to get more important. It’s necessary to include data protection compliance as part of the due diligence process today.” He adds that “The challenge is, in terms of data privacy, we need to make a decision based on the future of the company and its capabilities to deal with regulatory obligations and not so much on where the company is at today with compliance.”

For BigBets, data protection compliance is not so much a deal breaker because of the stage they’re investing in. Their investment decisions are largely driven by the capabilities of the (founding) team, their expertise and their ability to adapt quickly as the company grows. If they believe the team wouldn’t be able to cope with compliance requirements when it becomes a greater necessity, then this could indeed stop them from investing.

Zimmerling puts it slightly differently. When asked at which stage start-ups should consider data privacy she responded they need to do so from the start. “You have to do the same if you are a financial services company, you have to comply with all sorts of rules and regulations and the same applies to data privacy, it’s not something companies can postpone to later. You can’t build the company with a mindset to worry about it at a later stage.”

However, she adds that the level of effort that needs to go into data privacy varies according to business stage and industry. “Early-stage businesses need to be able to show they thought about it” she says.


The expectation on start-ups’ compliance with data protection regulations grows with the maturity level of a start-up.

Generally, there was a common consensus among the interviewees that the higher the maturity of the business seeking funding is, the higher is the weight of data protection compliance as a deciding factor for investment.

Zimmerling says that due diligence on data protection compliance is generally lighter for early-stage start-ups than more mature ones, but just like with many of the other areas analysed during the due diligence process, the validation happens differently and assessing risks for early-stage businesses can actually be tougher.

She says “For later stage start-ups, investors can get second-hand due diligence validation essentially through their existing clients. Coming back to the example of the company that offers financial services, assuming that company has corporate clients already, it is likely they have gone through an array of audits in order to land those clients”.

She adds further “First hand validation is trickier, especially for pre-seed and seed stage most investors probably don’t have the expertise on how to assess data privacy requirements and the management of it within a company. Also, there is little to no external validation available. It’s a similar situation we know exists for investments in technology, where investors often don’t have the required technical expertise to assess if a team has actually the capability to build the product they’re pitching.”

Betenson observes a similar situation in Brazil but explains that “The LGPD and concept of data privacy is still something fairly new to Brazilians. Enforcement on companies hasn’t really happened yet. Investors will use the frameworks they have built to assess companies against certain skills but the maturity in assessing compliance with data privacy is reflected in the maturity of the market. The weight of it also heavily depends on the stage of the company. Series B or C investors take a much closer look at compliance, simply because of the stage the business is at.”

He adds that “At BigBets we work in close collaboration with our portfolio companies at a very early-stage. This puts us in a unique position to understand bottlenecks and to support the companies accordingly. For example in the case of any challenges with data privacy compliance, we can connect them with data privacy experts in our network.”


Data Protection plays a crucial role when undergoing due diligence with potential clients.

Many start-ups are in the business of analysing (personal) data and deriving value from it on behalf of large corporations. Corporations are constantly on the lookout for innovation, but they’re also under a lot of pressure and much higher scrutiny when it comes to assessing vendors on compliance with regulations and security standards, including data privacy. Under these regulations, data controllers are responsible for ensuring their vendors process personal data responsibly and tick the compliance boxes.

Zeller from Wayra says that “The start-ups need to care about data privacy in order to work with a big corporate client. If their solution does not meet the requirements, this can cause rejection of their product or service. Furthermore, they also do not want to risk any breach of the regulations as this would be costly and drag unexpected expenses to their accounts.”

When asked whether non-compliance with data privacy could make or break a start-up’s acceptance into their programme, Zeller highlights “Data privacy and data protection is an extremely important topic at Telefónica across all departments. The reason behind this is simply because the trust of our customers is absolutely essential for our business models at Telefónica. Furthermore, also out of our conviction, data privacy and compliance form part of our company values. Hence if we have doubts about whether or not a start-up is data protection compliant, this can definitely be a show stopper.”

Closing the cycle, start-ups that are able to land clients such as Telefónica often automatically pass on proving compliance for investors. Zimmerling concludes “This is where companies that went through these procurement processes already with existing clients have a better standing for investment”.


Start-ups have the challenge of limited resources, and as such they need to focus their energy on what is the most pressing according to their stage.

It is commonly known that compliance with privacy regulations is, for many, a black hole, and business leaders often don’t know how to deal with it. The investors agree that start-ups are no exception and that their main challenge in dealing with compliance is the lack of resources.

Zeller mentions he regularly sees that the assigned data protection officer (DPO) is often also the person who works directly with the handled data. This in itself is a practice that is non-compliant with the GDPR, as the person could be ‘biased’ in their decision making on how to process the personal data. He says “This should not be the case, however, it is almost unavoidable”.

Betenson shares from his experience with BigBets “It’s important for early-stage start-ups to focus. A common mistake I often see is that they try to solve a lot of stuff at the same time.” He adds “Companies need to find power in their strategy and this strategy may be viable through data, for example data that others don’t have. After you found a unique way in creating value with that data, then you need to check if there are any legal issues or not.”

Zimmerling says that “when companies scale, a lot of things can happen and go wrong. The truth right now is that data privacy is not at the top of concerns. A data breach is bad, but when looked at it in terms of weighted probability of bad outcomes, it’s not the highest concern.”

This often can influence how companies approach it: A calculated risk. However, while it’s understandable, she argues that “…compliance is a necessary requirement and I wouldn’t invest if start-ups didn’t take care of it. Compliance protects the bottom line.”

While investors look at the opportunity of the one big shot through growth and scalability, the need for risk mitigation strategies grows with the maturity of the business, and evidence of such strategies (or the lack thereof) can put investors off.


Our Conclusion

While start-ups still largely fall under the radar of authorities and the impacts of a data breach are considered relatively low, as they scale and grow their operations, the impact of data protection regulations and the meaning of data privacy also scale. Start-ups’ commitment to compliance and to implementing privacy-by-design principles will fall under scrutiny even at the early stages; the question is no longer if but when.

Depending on the growth stage, segment and the kind of opportunity a start-up is pitching for, their audience may or may not have a higher sensitivity to data protection compliance, and start-ups need to evaluate and manage their efforts accordingly.

In order to land clients, start-ups will have to manage and prove commitment to data protection from a very early stage, as clients have a legal obligation to assess them against that. Companies that provide this can achieve higher confidence with customers, which can lead to an uptake in sales and ultimately increase chances for investment.

Investors are aware of the risks and data privacy is gaining a growing role in their due diligence.
